Why we need a Center for Lessons Learned in Cyber

With this post I want to give you some historical context on the Center for Army Lessons Learned and draw some conclusions for the new domain of cyber conflict.

In 2004, the United States Army, despite fighting guerrilla-type warfare in Iraq, was still training soldiers in archaic fashion. We were still training our troops to fight the Soviet armies, to move as huge units rather than as small units making small tactical decisions. It took a few years for the Center for Army Lessons Learned (CALL) to be stood up, and for tactics, techniques and procedures (TTPs) from successful units to filter down. As the wars in Iraq and Afghanistan have carried on, directions such as COIN (counter-insurgency) and “hearts and minds” have been bandied about. Units broke into small teams, made sure to commit to working with locals (instead of around or over them), and adapted to a changing threat environment. It took time for our huge, bureaucratic military to adjust to small cells of insurgents who were constantly adapting to their different missions. Insurgents used civilian cover, commercial technology and innovation to wage war on a superior, better funded and better trained force.

The Center for Army Lessons Learned provided a crucial asset for leaders to gain knowledge of tried and true TTPs. Mobilizing forces were also able to plug into these TTPs to gain knowledge that would not be available to them otherwise. Anyone could share knowledge, and anyone could consume it (with proper authentication). This allowed the SOCOM side of the house to share with Reserve units from the Midwest. The very nature of these conflicts had soldiers learning on the fly, attempting to complete missions for which they were not trained. However, the resources available at CALL provided soldiers with valuable lessons, and saved lives. Soldiers could find up-to-date TTPs for how to properly run convoy operations, places detainees liked to hide contraband, and the latest IED reports. This valuable, non-classified information was also available to training officers everywhere, increasing the value and efficacy of their pre-combat training. It was an unclassified area in which knowledge could be shared without disclosing intelligence.

This is exactly what the cyber community needs: an enclave of trusted individuals who can share knowledge of attacks, exploits and successes. It would be a forum for users to get together and discuss how they were attacked and which defenses succeeded. This group could strengthen the overall cyber IQ of users. Instead of being just for the Army (or a single organization), this organization could welcome trusted users into the fold and share information. These tips and tricks could improve the posture of many agencies and groups.

This is the first of many posts in which we will examine lessons learned from kinetic combat in Afghanistan and Iraq and how they can (and ought to) be applied to cyber problems. We will update this post as they come out.